Adding a user to an LDAP group using midPoint

I want to use Evolveum midPoint to add users to an existing LDAP group. I have a metarole:

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" oid="8dc821c4-b7ef-4092-a1b3-1a6ff437b0ed" version="11">
    <name>Metarole for groups</name>
    <inducement id="5">
        <construction>
            <resourceRef oid="8a83b1a4-be18-11e6-ae84-7301fdab1d7c" relation="org:default" type="c:ResourceType">
                <!-- OpenLDAP TEST -->
            </resourceRef>
            <kind>entitlement</kind>
            <intent>Group</intent>
        </construction>
    </inducement>
    <inducement id="6">
        <construction>
            <resourceRef oid="8a83b1a4-be18-11e6-ae84-7301fdab1d7c" relation="org:default" type="c:ResourceType">
                <!-- OpenLDAP TEST -->
            </resourceRef>
            <kind>account</kind>
            <intent>default</intent>
            <association id="7">
                <c:ref>ri:group</c:ref>
                <outbound>
                    <expression>
                        <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
                            <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
                                <kind>entitlement</kind>
                                <intent>Group</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
    </inducement>
</role>

The association in the resource configuration:

<association id="15">
    <c:ref>ri:group</c:ref>
    <displayName>LDAP Group Membership</displayName>
    <kind>entitlement</kind>
    <intent>Group</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>ri:dn</valueAttribute>
    <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
    <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
</association>

And the corresponding object type:

<objectType id="16">
            <kind>entitlement</kind>
            <intent>Group</intent>
            <default>true</default>
            <objectClass>ri:groupOfNames</objectClass>
            <baseContext>
                <objectClass>ri:organizationalUnit</objectClass>
                <filter>
                    <q:equal>
                        <q:path>attributes/dn</q:path>
                        <q:value>ou=groups,dc=test1,dc=test2,dc=test3,dc=test4</q:value>
                    </q:equal>
                </filter>
            </baseContext>
            <attribute id="21">
                <c:ref>ri:member</c:ref>
                <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:distinguishedName</matchingRule>
                <outbound>
                    <strength>strong</strength>
                    <expression>
                        <value>cn=dummy,o=whatever</value>
                    </expression>
                </outbound>
            </attribute>
            <attribute id="22">
                <c:ref>ri:cn</c:ref>
                <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
                <outbound>
                    <strength>weak</strength>
                    <source>
                        <c:path>$focus/identifier</c:path>
                    </source>
                </outbound>
            </attribute>
            <attribute id="23">
                <c:ref>ri:description</c:ref>
                <outbound>
                    <source>
                        <c:path>description</c:path>
                    </source>
                </outbound>
            </attribute>
            <attribute id="20">
                <c:ref>ri:dn</c:ref>
                <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:distinguishedName</matchingRule>
                <tolerant>true</tolerant>
                <exclusiveStrong>false</exclusiveStrong>
                <outbound>
                    <source>
                        <c:path>$focus/identifier</c:path>
                    </source>
                    <expression>
                        <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType">
                            <code>
                                import javax.naming.ldap.Rdn
                                import javax.naming.ldap.LdapName

                                dn = new LdapName('ou=groups,dc=test4')
                                dn.add(new Rdn('cn',identifier.toString()))
                                return dn.toString()
                            </code>
                        </script>
                    </expression>
                </outbound>
            </attribute>
            <activation>
                <administrativeStatus>
                    <outbound id="9">
                        <strength>weak</strength>
                        <expression>
                            <c:path xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="t:ItemPathType">$focusExists</c:path>
                        </expression>
                    </outbound>
                </administrativeStatus>
            </activation>
        </objectType>

This metarole is assigned to a custom role, which in turn is assigned to users. Unfortunately, this only works when the group does not yet exist in LDAP. When it does exist, I get the error:

com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException: Error processing account (no ID, type "Group", resource: 8a83b1a4-be18-11e6-ae84-7301fdab1d7c (OpenLDAP TEST)): Constraint violation: found a conflicting existing object with attribute {.../resource/instance-3}dn, dn=[cn=pre-test3,ou=groups,dc=test1,dc=test2,dc=test3,dc=test4]: shadow:f14ebe2c-61f6-4069-8ca2-1b41324fed3b(cn=pre-test3,ou=groups,dc=test1,dc=test2,dc=test3,dc=test4)

What could the problem be?
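To make the mechanics behind the question concrete, here is an added example (not code from the question, the answer, or midPoint itself). It models three things the configuration above does: the outbound `ri:dn` script that builds `cn=<identifier>` under the groups OU, the `mr:distinguishedName` comparison midPoint applies when it looks for a conflicting existing entry (the check that raises the ObjectAlreadyExistsException above), and the `objectToSubject` association, where the group's `member` values name the account DN. The directory content, the `alice` account and the `admins` group are constructed sample data; the DN normalization is an approximation of the matching rule (single-valued RDNs only) and not midPoint's implementation.

```python
# Added example (not midPoint's own code): models what the page's configuration does.
#  - build_group_dn mirrors the Groovy outbound mapping for ri:dn (cn=<identifier> under the groups OU)
#  - normalize_dn / find_existing_group approximate the mr:distinguishedName matching rule that
#    midPoint applies when it checks for a conflicting existing object (the ObjectAlreadyExistsException)
#  - members_of resolves an objectToSubject association: the group's "member" holds the account DN
# The sample directory content below is constructed for this example.

from typing import Dict, List, Optional

GROUPS_BASE = "ou=groups,dc=test1,dc=test2,dc=test3,dc=test4"  # from the page's baseContext

# Constructed sample of what already exists in the directory: group DN -> its member values.
# "cn=dummy,o=whatever" is the placeholder member the page's ri:member mapping writes.
EXISTING_GROUPS: Dict[str, List[str]] = {
    "cn=pre-test3,ou=groups,dc=test1,dc=test2,dc=test3,dc=test4": [
        "cn=dummy,o=whatever",
        "uid=alice,ou=people,dc=test1,dc=test2,dc=test3,dc=test4",   # constructed account
    ],
    "cn=admins,ou=groups,dc=test1,dc=test2,dc=test3,dc=test4": [      # constructed group
        "cn=dummy,o=whatever",
    ],
}

_RDN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping of an attribute value inside an RDN (what Rdn does in the Groovy script)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading = i == 0 and ch in " #"
        trailing = i == last and ch == " "
        out.append("\\" + ch if ch in _RDN_SPECIAL or leading or trailing else ch)
    return "".join(out)


def build_group_dn(identifier: str, base: str = GROUPS_BASE) -> str:
    """Equivalent of the page's ri:dn outbound script: cn=<identifier> prepended to the groups base."""
    return f"cn={escape_rdn_value(identifier)},{base}"


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on sep while honouring backslash escapes, so 'cn=a\\,b' stays one RDN."""
    parts, cur, escaped = [], [], False
    for ch in text:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: attribute types and values case-folded, insignificant
    whitespace around '=' and ',' removed. Single-valued RDNs only (no '+' handling), which
    is enough for the DNs on this page."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        attr_type, _, value = rdn.partition("=")  # types never contain '=', so the first one splits
        rdns.append(f"{attr_type.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def find_existing_group(candidate_dn: str, existing: Dict[str, List[str]] = EXISTING_GROUPS) -> Optional[str]:
    """The pre-provisioning check midPoint effectively performs: is there already an entry whose
    dn matches under distinguishedName semantics? Returns the conflicting DN, or None."""
    wanted = normalize_dn(candidate_dn)
    for dn in existing:
        if normalize_dn(dn) == wanted:
            return dn
    return None


def members_of(account_dn: str, groups: Dict[str, List[str]] = EXISTING_GROUPS) -> List[str]:
    """objectToSubject association: the group's 'member' values name the account's dn, so the
    account's memberships are the groups that list it (what the memberOf shortcut caches)."""
    wanted = normalize_dn(account_dn)
    return sorted(dn for dn, members in groups.items()
                  if any(normalize_dn(m) == wanted for m in members))


if __name__ == "__main__":
    dn = build_group_dn("pre-test3")
    print("would provision:", dn)
    print("conflicts with:", find_existing_group(dn))   # the page's ObjectAlreadyExistsException case
    print("new group conflicts with:", find_existing_group(build_group_dn("new-team")))
    print("alice is in:", members_of("UID=Alice,ou=people,dc=test1,dc=test2,dc=test3,dc=test4"))
```

Running it shows the situation from the question: the computed DN for `pre-test3` matches an entry that is already in the directory even when case and spacing differ, which is exactly the comparison that makes midPoint refuse to create a second entry. A practitioner can point `find_existing_group` at a real export of the groups OU to see which identifiers would collide before assigning the metarole.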

format_88 answers: Adding a user to an LDAP group using midPoint

Article link: https://www.f2er.com/3095645.html
